SECTION 8.1 


Rl . What are the differences between message confidentiality and message 
integrity? Can you have confidentiality without integrity? Can you have 
integrity without confidentiality? Justify your answer. 

R2. Internet entities (routers, sw itches. DNS servers, Web servers, user end sys- 
tems. and so on) often need to communicate securely. Give three specific 
example pairs of Internet entities that may w ant secure communication. 


Chapter 8 Review Questions 

1. Confidentiality is the property that the original plaintext message can not be 
determined by an attacker who intercepts the ciphertext- encryption of the original 
plaintext message. Message integrity is the property that the receiver can detect 
whether the message sent (whether encrypted or not) was altered in transit. The two 
are thus different concepts, and one can have one without the other. An encrypted 
message that is altered in transmit may still be confidential (the attacker can not 
determine the original plaintext) but will not have message integrity if the error is 
undetected. Similarly, a message that is altered in transit (and detected) could have 
been sent in plaintext and thus would not be confidential. 

2. User’s laptop and a web server: (ii) two routers: (iii) two DNS name servers. 


R3. From a service perspective, what is an important difference between a 
symmetric-key system and a public-key system? 

R4. Suppose that an intruder has tin encrypted message as well as the decrypted 
version of that message. Can the intruder mount a ciphertext-only attack, a 
known-plaintext attack, or a chosen-plaintext attack? 

R5. Consider an 8-block cipher. How' many possible input blocks does this cipher 
have? How many possible mappings are there? If we view each mapping as a 
key. then how many possible keys does this cipher have? 


3. One important difference between symmetric and public key systems is that in 
symmetric key systems both the sender and receiver must know the same (secret) key. 
In public key systems, the encryption and decryption keys are distinct. The 
encryption key is known by the entire world (including the sender), but the decryption 
key is known only by the receiver. 

4. In this case, a known plaintext attack is performed. If somehow, the message 
encrypted by the sender was chosen by the attacker, then this would be a chosen- 
plaintext attack. 

g 

5 . An 8-block cipher has 2 possible input blocks. Each mapping is a permutation of the 
2 S input blocks: so there are 2 S ! possible mappings: so there are 2 E ! possible keys. 


R6. Suppose N people want to communicate with each of /V - 1 other people 
using symmetric key encryption. All communication between any two peo- 
ple, / and j. is visible to all other people in this group of N. and no other per- 
son in this group should be able to decode their communication. How many 
keys are required in the system as a whole? Now suppose that public key 
encryption is used. How many keys are required in this case? 

R7. Suppose n = 10.000. a = 10.023. and b = 10.004. Use an identity of modular 
arithmetic to calculate in your head (a • b) mod n. 

R8. Suppose you want to encrypt the message 10101 111 by encrypting the deci- 
mal number that corresponds to the message. What is the decimal number? 
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R9. In what way does a hash provide a better message integrity check than a 
checksum (such as the Internet checksum)? 


6. If each user wants to communicate with N other users, then each pah of users must 
have a shared symmetric key. There are N*(N-l)/2 such pairs and thus there are 
N*(N-l)/2 keys. With a public key system, each user has a public key which is 
known to all. and a private key (which is secret and only known by the user). There 
are thus 2N keys in the public key system. 

7. a mod n = 23 . b mod n = 4. So (a*b) mod n = 23*4=92 
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9. One requirement of a message digest is that given a message M. it is very difficult to 
find another message M’ that has the same message digest and. as a corollary, that 
given a message digest value it is difficult to find a message M” that has that given 
message digest value. We have “message integrity'’ in the sense that we have 
reasonable confidence that given a message M and its signed message digest that the 
message was not altered since the message digest was computed and signed. This is 


not true of the Internet checksum, where we saw in Figure 7.18 that it easy to find 
two messages with the same Internet checksum. 


RIO. Can you “decrypt” a hash of a message to get the original message? Explain 
your answer. 

R 1 1 . Consider a variation of the MAC algorithm (Figure 8.9) where the sender 
sends (m. Him) + s). where Him) + s is the concatenation of Him) and s. Is 
this variation flawed? Why or why not? 


R 1 2. What does it mean for a signed document to be verifiable and non-forgeable? 

RI3. In what way does the public-key encrypted message hash provide a better 
digital signature than the public-key encry pted message? 

10. No. This is because a hash function is a one-way function. That is. given any hash 
value, the original message cannot be recovered (given h such that h=H(m). one 
cannot recover m from h). 

1 1 . This is scheme is clearly flawed. Trudy, an attacker, can first sniff the communication 
and obtain the shared secret s by extracting the last portion of digits from H(m)+s. 
Trudy can then masquerade as the sender by creating her own message t and send (t. 
H(t)+s). 

12. Suppose Bob sends an encrypted document to Alice. To be verifiable. Alice must be 
able to convince herself that Bob sent the encrypted document. To be non-forgeable. 
Alice must be able to convince herself that only Boh could have sent the encrypted 
document (e.g.,. no one else could have guessed a key and encrypted sent the 
document) To be non -reputable. Alice must be able to convince someone else that 
only Bob could have sent the document. To illustrate the latter distinction, suppose 
Bob and Alice share a secret key. and they are the only ones in the world who know 
the key. If Alice receives a document that was encrypted with the key. and knowrs 
that she did not encrypt the document herself, then the document is known to be 
verifiable and non-forgeable (assuming a suitably strong encryption system was 
used). However. Alice cann ot convince someone else that Bob must have sent the 
document, since in fact Alice knew the key herself and could have encrypted sent the 
document. 

13. A public -key signed message digest is "better" in that one need only encrypt (using 
the private key) a short message digest, rather than the entire message. Since public 
key encryption with a technique like RSA is expensive, it’s desirable to have to sign 
(encrypt) a smaller amount of data than a larger amount of data. 


R 14. Suppose certifier.com creates a certificate for foo.com. Typically, the entire 
certificate would be encrypted with certifier.com's public key. True or False? 

R 1 5. Suppose Alice has a message that she is ready to send to anyone who asks. 

Thousands of people want to obtain Alice’s message, but each w ants to be sure 
of the integrity of the message. In this context, do you think a MAC-based or a 
digital-signature-based integrity scheme is more suitable? Why? 

R16. What is the purpose of a nonce in an end-point authentication protocol? 

R17. What does it mean to say that a nonce is a once-in-a-lifetime value? In whose 
lifetime? 

R18. Is the message integrity scheme based on HMAC susceptible to playback 
attacks? If so, how can a nonce be incorporated into the scheme to remove 
this susceptibility? 
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R 19. Suppose that Bob receives a PGP message from Alice. How does Bob know r 
for sure that Alice created the message (rather than. say. Trudy)? Does PGP 
use a MAC for message integrity? 

R20. In the SSL record, there is a field for SSL sequence numbers. True or False? 

14. This is false. To create the certificate, certifier. coin would include a digital signature, 
which is a hash of foo. coin's information (including its public key), and signed with 
certifier. corn’s private key. 

15. For a MAC-based scheme. Alice would have to establish a shared key with each 
potential recipient. With digital signatures, she uses the same digital signature for 
each recipient: the digital signature is created by signing the hash of the message with 
her private key., Digital signatures are clearly a better choice here. 

16. The purpose of the nonce is to defend against the replay attack. 


17. Once in a lifetimes means that the entity sending the nonce will never again use that 
value to check whether another entity is "live"'. 


IS. In a man- in-the -middle attack, the attacker puts himself between Alice and Bob. 
altering the data sent between them. If Bob and Alice share a secret authentication 
key. then any alterations will be detected. 


19. Alice provides a digital signature, from which Bob can verify that message came 
from Alice. PGP uses digital signatures, not MACs, for message integrity. 


20. False. SSL uses implicit sequence numbers. 


R2 1 . What is the purpose of the random nonces in the SSL handshake? 

R22. Suppose an SSL session employs a block cipher with CBC. True or False: 

The server sends to the client the IV in the clear? 

R23. Suppose Bob initiates a TCP connection to Trudy w ho is pretending to be 
Alice. During the handshake, Trudy sends Bob Alice’s certificate. In what 
step of the SSL handshake algorithm will Bob discover that he is not commu- 
nicating with Alice? 

R24. Consider sending a stream of packets from Host A to Host B using IPsec. 

Typically, a new r SA will be established for each packet sent in the stream. 

True or False? 

R25. Suppose that TCP is being run over IPsec between headquarters and the 

branch office in Figure 8.28. If TCP retransmits the same packet, then the tw o 
corresponding packets sent by R1 packets will have the same sequence num- 
ber in the ESP header. True or False? 

R26. An IKE SA and an IPsec SA are the same thing. True or False? 

R27. Consider WEP for 802. 1 1 . Suppose that the data is 10101 100 and the 
keystream is 1 1 1 1000. What is the resulting ciphertext? 

R28. In WEP, an IV is sent in the clear in every frame. True or False? 

21. The purpose of the random nonces in the handshake is to defend against the 
connection replay attack. 

22. True. The IV is always sent in the clear. In SSL. it is sent during the SSL handshake. 

23. After the client will generate a pre-master secret (PMS). it will encrypt it with Alice's 
public key. and then send the encrypted PMS to Trudy. Trudy will not be able to 
decrypt the PMS. since she does not have Alice's private key. Thus Trudy will not be 
able to determine the shared authentication key. She may instead guess one by 
choosing a random key. During the last step of the handshake, she sends to Bob a 
MAC of all the handshake messages, using the guessed authentication key. When 
Bob receives the MAC. the MAC test will fail, and Bob will end the TCP connection. 

24. False. Typically an IPsec SA is first established between Host A and Host B. Then all 
packets in the stream use the SA. 

25. False. IPsec will increment the sequence number for every packet it sends. 

26. False. An IKE SA is used to establish one or more IPsec SAs. 

27. 01011100' 


28. True 


R29. Stateful packet filters maintain two data structures. Name them and briefly 
describe w hat they do. 

R30. Consider a traditional (stateless) packet filter. This packet filter may filter 
packets based on TCP flag bits as well as other header fields. True or False? 

R3 1 . In a traditional packet filter, each interface can have its ow n access control 
list. True or False? 

R32. Why must an application gateway work in conjunction with a router filter to 
be effective? 


29. Filter table and connection table. The connection table keeps track of connections, 
allowing for a finer degree of packet filtering. 

30. True 

3 1 . True 

32. If there isn’t a packet filter, than users inside the institution’s network will still be 
able to make direct connections to hosts outside the institution’s network. The filter 
forces the users to first connect to the application gateway. 


